Threat Modelling for Developers training course

Learn how to identify, analyse and mitigate security threats early in the software development lifecycle using modern threat modelling techniques. Through practical exercises and real-world scenarios, you'll apply current cybersecurity best practices, including Secure by Design, DevSecOps, OWASP, STRIDE, MITRE ATT&CK and Agile development workflows to build more secure applications from the outset.

JBI training course London UK

"The topics (threat modelling frameworks, zones of trust, annotating your own diagrams, implementing security into Agile practices) were all well-chosen and appropriate.GL, Software Engineer, Threat Modelling, February 2021

Public Courses

17/08/26 - 2 days
£1500 +VAT
28/09/26 - 2 days
£1500 +VAT
09/11/26 - 2 days
£1500 +VAT

Customised Courses

* Train a team
* Tailor content
* Flex dates
From £1200 / day
EDF logo Capita logo Sky logo NHS logo RBS logo BBC logo CISCO logo
JBI training course London UK

  • Gain an overview of secure SDLC and understand how threat modelling fits in
  • Understand where and how Agile architecture fits in
  • Gain an introduction to several common security classification systems
  • Define elements of software that are security concerns
  • Explore threat model types
  • Learn about the traditional threat model process
  • Discover dependencies
  • Understand the Rapid Threat Model Prototyping (RTMP) process
  • Apply Zones of Trust and use Zone rules to find threats
  • Understand how to quickly classify threats
  • Learn mitigation analysis
  • Integrate RTMP in an Agile/DevOps process
  • Convert risks into backlog items
  • Learn validation and triaging of threats
  • Explore threat modelling of an internal system
  • Identify vulnerabilities and tackle them with threat models
  • Discover the relationship with threats and the Mitre ATT&CK framework
  • Create the ability to use key parts of the Common Weakness Enumeration (CWE), OWASP Top 10 (OT10) and STRIDE in finding threats and mitigations
  • Learn how to integrate the secure aspects of the AWS and Azure Well-Architected frameworks into a threat model

 

An excerpt from a 2 day JBI Threat Modelling training course showing an agile architecture session.

Overview

• The main recipients for the course are security subject-matter experts,  technical non-security professionals who have no/little experience of threat modelling (e.g. software devs, architects and engineers) and technically-oriented project leaders.

• The purpose of the course is to deliver the concept of threat modelling and to be able to complete a basic threat model using the Rapid Threat Model Prototyping methodology.

• By the end of the course, the class will understand threats, mitigations and risk rankings and will be able to use basic threat modelling techniques to drastically improve secure design of software.

• The course will enable participants to integrate RTMP into any software development process.

Threat modelling 101

• Overview of secure SDLC

• How Threat Modelling fits into a secure SDLC

• How Agile Architecture fits in

• Introduction to several common security classification systems

• What are STRIDE and OWASP Top 10

• Mini Lab - mapping system relationships

• Defining elements of software that are security concerns

• Threat Model types

• Traditional threat model process and its shortcomings

• The importance of context diagrams to threat modelling and reusing existing software designs

• Dependencies

• Mini Lab - discovering dependencies    

Rapid Threat Model Prototyping 201

• Pareto Rule (80/20 ratio) and use in secure software development

• Introduction to the Rapid Threat Model Prototyping methodology

• Elements of a threat model

• How to integrate RTMP in an Agile/DevOps process

• Zones of Trust and using Zone rules to find threats

• Adding Zone and threat metadata to a software diagram

• Mini Lab - applying Zone rules • Mitigation analysis

• Mini Lab - discovering mitigations

• Validation and triaging of results in an Agile/DevOps process

• Lab – full threat model of an internal system    

Rapid Threat Model Prototyping 301

• How to convert risks into backlog items that are prioritised accordingly (e.g. into Jira, MS DevOps or similar workflow systems)

• Examples and open conversation of threat models that you have from the real world, starting with simple systems and building up to more complicated systems

• How to use RTMP to quickly highlight flows/processes/etc that are high risk

• Advanced techniques using calculation of the RTMP elements. Formulae are outlined and broken down for comprehension.

• Discussion around how to implement a good security champion program to drive deep adoption of Rapid Threat Model Prototyping across the software development lifecycle.

• Use of RTMP in other parts of a business.

JBI training course London UK

The main recipients for the course are security subject-matter experts,  technical non-security professionals who have no/little experience of threat modelling (e.g. software devs, architects and engineers) and technically-oriented project leaders.


5 star

4.8 out of 5 average

"The topics (threat modelling frameworks, zones of trust, annotating your own diagrams, implementing security into Agile practices) were all well-chosen and appropriate.GL, Software Engineer, Threat Modelling, February 2021



“JBI  did a great job of customizing their syllabus to suit our business  needs and also bringing our team up to speed on the current best practices. Our teams varied widely in terms of experience and  the Instructor handled this particularly well - very impressive”

Brian F, Team Lead, RBS, Data Analysis Course, 20 April 2022

 

 

JBI training course London UK

Newsletter


Sign up for the JBI Training newsletter to receive technology tips directly from our instructors - Analytics, AI, ML, DevOps, Web, Backend and Security.
 



Threat modelling is a process to identify security weaknesses in software design and architecture, and define countermeasures that mitigate the malicious effects of the discovered weaknesses before any code is cut.

Our Threat Modelling  training course is designed for software developers and architects in mind. Threat modelling is language-agnostic. It can be easily used for any software development project and with any modern workflow such as Agile or DevOps. The analysis work is done on the design of the software system in order to improve the quality of the code that will be delivered in-sprint.
 
You will learn how to address security design concerns faced by software development teams with a combination of teaching modules and practical threat model exercises. The participants will be encouraged to work in teams, to foster discussions on how to implement security controls for the modelled threats on their software architecture.
 
All key stakeholders in an application development workflow should know how to assess the weak points in their systems and what questions to ask. The course will provide a framework to assess these questions and will yield immediate beneficial results.
 
You will gain a practical overview of the necessary disciplines for resolving application architecture and design issues according to OWASP good security practices.
 
We aim to instill skills that allow you to perform rapid threat modelling in a consistent, repeatable and measurable manner.

JBI Training offers a broad range of cyber security and application security courses covering both technical and managerial disciplines. Available courses include Threat Modelling for Developers, Secure Web Application Development, OWASP Top 10 Practical Web Application Security, TLS and PKI in Practice, Secure Coding for Java and JavaScript, Secure Coding in ASP.NET, Secure Coding in PHP, Security for Python, Secure by Design, Post Quantum Cryptography, Social Engineering, Information Security, Cyber Attack Simulation, PCI DSS Compliance, CISSP, CISM, CISA, Certificate of Cloud Security Knowledge (CCSK), and Certificate of Cloud Auditing Knowledge (CCAK). All courses are available as scheduled classroom sessions in London, as live online instructor-led training, or as customised onsite programmes for development and security teams.
Threat modelling is a structured process used to identify security weaknesses in software design and architecture before any code is written. It involves creating an abstraction of the system, profiling potential attackers and their methods, and producing a catalogue of threats so that countermeasures can be defined and prioritised early in the development lifecycle. It is particularly important for developers and architects because it identifies design flaws that code reviews and testing alone may miss, reduces the cost of remediation by detecting issues before deployment, and integrates naturally into Agile and DevOps workflows. JBI's Threat Modelling for Developers course is language-agnostic and suitable for teams working with any modern development process.
The OWASP Top 10 is a widely recognised list of the most critical security risks to web applications, published by the Open Web Application Security Project. It covers vulnerabilities such as injection attacks, broken authentication, insecure design, security misconfigurations, vulnerable components, and others that are commonly exploited in real-world attacks. JBI offers a dedicated OWASP Top 10 Practical Web Application Security course, and OWASP principles are also embedded in the Secure Web Application Development and Threat Modelling courses. These courses are suitable for developers, security engineers, and QA professionals who need to understand and address common web application vulnerabilities.
Yes. A significant part of JBI's security curriculum is specifically designed for developers and software engineers rather than for dedicated security professionals. Courses such as Threat Modelling for Developers, Secure Web Application Development, Secure Coding for Java and JavaScript, Secure Coding in ASP.NET, Secure Coding in PHP, and Security for Python are aimed at development teams who need to build security into their code and architecture from the outset. These courses can be delivered as customised onsite programmes for software teams, tailored to the languages, frameworks, and development processes the team already uses.
JBI offers preparation courses for several internationally recognised security certifications. These include CISSP (Certified Information Systems Security Professional), CISM (Certified Information Security Manager), CISA (Certified Information Systems Auditor), Certificate of Cloud Security Knowledge (CCSK), and Certificate of Cloud Auditing Knowledge (CCAK). These courses are designed to prepare candidates for their respective examinations and are suitable for information security managers, auditors, risk professionals, and senior technical staff who want to demonstrate formal competence in information security management and cloud security.
Post Quantum Cryptography (PQC) refers to cryptographic algorithms designed to be resistant to attacks from quantum computers, which are expected to eventually break many of the encryption standards currently in use — including RSA and elliptic curve cryptography. Organisations in finance, government, defence, and critical infrastructure are beginning to assess and plan their migration to quantum-resistant algorithms in response to guidance from standards bodies including NIST. JBI's Post Quantum Cryptography course covers the threat landscape, the current state of quantum computing, the new PQC standards, and practical approaches to transitioning cryptographic infrastructure.
The Secure by Design course covers the principles and practices of building security into software and systems from the earliest stages of design, rather than adding it as an afterthought after development. Topics include security architecture patterns, design principles such as least privilege and defence in depth, risk-based design decisions, integrating security requirements into user stories and system specifications, and applying secure design thinking within Agile and DevOps environments. The course is aligned with current guidance from bodies including NCSC (National Cyber Security Centre) and is relevant for architects, senior developers, and technical leads.
Yes. All of JBI's security courses can be delivered as customised onsite or online programmes for corporate teams. Content can be tailored to the organisation's technology stack, development language, industry sector, compliance requirements, and security maturity level. JBI has delivered security training for organisations across financial services, healthcare, government, media, and technology, including clients such as the BBC, NHS, Cisco, RBS, and Capita. Organisations with specific regulatory or compliance obligations — such as PCI DSS, GDPR, or sector-specific frameworks — can request content that addresses those requirements directly.
TLS (Transport Layer Security) is the protocol used to encrypt data in transit across networks, and is the technology behind HTTPS and secure communications in modern applications. PKI (Public Key Infrastructure) is the framework of certificates, certificate authorities, and key management processes that underpin TLS and other certificate-based security mechanisms. JBI's TLS and PKI in Practice course covers how these technologies work in real deployment scenarios, common misconfigurations and vulnerabilities, certificate lifecycle management, and practical implementation for developers and infrastructure teams. This is particularly relevant for organisations managing APIs, microservices, internal networks, or customer-facing web applications.
Yes. JBI's security training content is continuously reviewed and updated to reflect the latest threat landscape, newly published vulnerabilities, updated standards, and current regulatory guidance. This includes updates to OWASP guidance, changes to cryptographic standards, emerging attack techniques such as AI-assisted social engineering and supply chain attacks, and the latest PQC standards from NIST. Delegates learn skills and concepts that are directly applicable to the security challenges organisations face today.

CONTACT
+44 (0)20 8446 7555

[email protected]

 

Copyright © 2026 JBI Training. All Rights Reserved.
JB International Training Ltd  -  Company Registration Number: 08458005
Registered Address: Wohl Enterprise Hub, 2B Redbourne Avenue, London, N3 2BS

Modern Slavery Statement & Corporate Policies | Terms & Conditions | Contact Us

POPULAR

AI training courses                                                                        CoPilot training course

Threat modelling training course   Python for data analysts training course

Power BI training course                                   Machine Learning training course

Spring Boot Microservices training course              Terraform training course

Data Storytelling training course                                               C++ training course

Power Automate training course                               Clean Code training course